Information Security Careers archives - Security Bytes


Dec 7 2007   2:21PM GMT

The changing role of the CSO



Posted by: Dennis Fisher
Information Security Careers

In the last few months I’ve been hearing more and more from CEOs, CIOs and CSOs about the changing role of the CSO (or CISO, depending on your org chart) in the enterprise. In the past, the CSO has nearly always been a technically minded person who has risen through the IT ranks and then made the jump to the executive ranks. That lineage sometimes got in the way when it came time to deal with other upper managers who typically had little or no technical knowledge and weren’t interested in the minutiae of authentication schemes, NAC and unified threat management. They simply wanted things to work and to avoid seeing the company’s name in the papers for a security breach.

But that seems to be changing rather rapidly. Last month I was on a panel in Chicago with Howard Schmidt, Lloyd Hession, the CSO of BT Radianz, and Bill Santille, CIO of Uline, and the conversation quickly turned to the ways in which the increased focus on risk management in enterprises has forced CSOs to adapt and expand their skill sets. A knowledge of IDS, firewalls and PKI is not nearly enough these days, and in some cases is not even required to be a CSO. One member of the audience said that the CSO position in his company is rotated regularly among senior managers, most of whom have no technical background and are supported by a senior IT staff member who serves as CISO. The CSO slot is seen as a necessary stop on the management circuit, in other words. Several other CSOs in the audience said that they no longer report to the CIO and are not even part of the IT organization. Instead, they report to the CFO, the chief legal counsel, or in one case, the ethics officer.

The number of organizations making this kind of change surprised me at the time. But, in thinking more about it, it makes a lot of sense, given that the daily technical security tasks are handled by people well below the CSO’s office. And many of the CSOs I know say they spend most of their time these days dealing with policy issues such as regulatory compliance. Patrick Conte, the CEO of software maker Agiliance, which put on the panel, told me that these comments fit with what he was hearing from his customers, as well. Some of this shift is clearly attributable to the changing priorities inside these enterprises. But some of it also is a result of the maturation of the security industry as a whole, which has translated into less of a focus on technology and more attention being paid to policies, procedures and other non-technical matters.

How this plays out in the coming months and years will be quite interesting. My guess is that as security continues to be absorbed into the larger IT and operations functions, the CSO’s job will continue to morph into more of a business role.

Oct 12 2007   7:46AM GMT

Flaw finder joins Microsoft



Posted by: Bill Brenner
Microsoft Security, Security Vendor News, Application Security, Information Security Threats, Information Security Careers

Billy (BK) Rios had already made quite a name for himself in the hacker community before he started making major headlines over his warnings of a critical URI flaw in Windows. It took Microsoft months to acknowledge the vulnerability, but somewhere along the line someone in Redmond was impressed enough with Rios’ skills that he was offered a job.

Security blogger Ryan Naraine writes in his Zero Day blog that Rios — formerly a senior security consultant for VeriSign and a penetration tester for Ernst & Young’s Advanced Security Center — has been hired as a security engineer.

It’s a smart move on Microsoft’s part. Better to have a prolific vulnerability finder penetrating your products from the inside than having him out there finding problems independently and making big headlines that are usually not very flattering for the software giant.

Microsoft also deserves credit here because the hiring shows it is deadly serious about making its products more secure.


Oct 3 2007   3:06PM GMT

TJX seeks experienced IT security manager



Posted by: Bill Brenner
Network Security, Application Security, Security Management, Data Breaches and Identity Theft, Information Security Careers, Identity and access management

Here’s some actual proof that TJX is trying to do something about the security holes that allowed hackers to repeatedly access its network and steal data on some 45 million customers: A job posting listed on the IT Toolbox site is for an IT security architecture manager position at TJX.

The full-time gig is based in Framingham, Mass., and the retail giant wants someone with “very strong technical security background in both the mainframe and distributed environments.”

Why work for a company with such a battered security reputation? Here’s the TJX spin:

“With over $17 billion in revenues, eight businesses, more than 2,300 stores, and close to 120,000 associates, success is always in style at TJX. We at TJX understand that both our customers and the talent pool from which our Associates come are increasingly diverse. Our core values of respect, integrity and fairness are inherent in the relationships we build with each other, our vendors and our customers. We are committed to leveraging the differences among our Associates and customers to create both a diversified mix of talent within TJX and a diversified mix of merchandise within our stores. We consider the unique views and opinions of our associates to be the key to our growth and success in the future.”

There are two reasons this job may be worth going for: Given the company’s need to recover from its data breach, the pay is probably pretty decent. And there’s a chance to become the man or woman who turns the company’s security situation around.

Read the full job description here.


Sep 7 2007   5:24AM GMT

Cryptography and the double yellow line



Posted by: Bill Brenner
Application Security, Information Security Threats, Security Management, Information Security Careers, Laws, Investigations and Ethics

While perusing the security blogosphere this week I came across a pretty amusing entry in the Worse than Failure blog from Alex Papadimoulis, principal member of Inedo, LLC, an Ohio-based company that sells productivity software to small and mid-sized businesses.

He presents a few job interview scenarios, including this gem about a job candidate boasting about how great he is at cryptography:

“Near the end of a technical interview, Paco H. was asked a rather blunt question from the candidate he was interviewing: ‘Hey, be straight with me. How am I doing?’ Paco replied with the truth: not too well. The candidate was a bit disappointed, so Paco gave him a chance of redemption.
Paco: So, tell me, what are you great at?
Candidate: What am I good at?
Paco: No, no. What are you *GREAT* at?
Candidate: Hmmm. (a few seconds pass) Cryptography!

“Fortunately, Paco knew a thing or two about cryptography, and knew where to begin a line of questions.
Paco: Ok. Well let’s just start with the basics. Tell me the difference between asymmetric and symmetric cryptography.
Candidate: Well, the way I see it is like this. The symmetric cryptography is like when you’re driving down the road and there’s a dotted line down the middle and cars are going both ways. Asymmetric cryptography is like when there’s a double yellow line.

“Paco opted to pass, after all.”

No big points to make about this one. I just had to share it.

Now for some items I do want to weigh in on…

The Chinese cybersecurity threat

The Darknet blog has an item about the recent reports of China hacking into U.S. military systems. Of course, Chinese Premier Wen Jiabao denies his country’s military would ever do such a thing because, after all, “the government has opposed and forbade any criminal acts undermining computer systems, including hacking.”

Darknet isn’t buying it and neither am I.

Darknet’s response: “Forbade eh? More likely to be encouraged. Cyber terrorism and cross border attacks for information gathering are not restricted to the realms of movies.”

My two cents: Evidence has steadily mounted in the last two years that China has been trying to hack into government systems. There has been plenty of speculation as to whether the military has been actively involved or whether the government has independent hackers doing the dirty work for them. But in the final analysis, everything I’ve seen makes it clear something sinister is afoot.

I’m reminded of how the U.S. government learned two years ago about ongoing attacks it eventually dubbed Titan Rain. In those attacks, Chinese Web sites targeted computer networks in the Defense Department and other U.S. agencies, compromising hundreds of unclassified networks. Though classified information wasn’t taken, officials worried that even small, seemingly insignificant bits of information can paint a valuable picture of an adversary’s strengths and weaknesses when pulled together.

I’m sure some Chinese hackers are doing some of these things on their own and not on behalf of their government. But it’s hard to believe, given the choice of targets, that there isn’t some government involvement somewhere.

The probability of government-backed attacks was the focus of a Financial Times article my colleague Dennis Fisher blogged about this week. According to the article, some people using IP addresses belonging to the People’s Liberation Army were able to penetrate a portion of the Pentagon’s network to such an extent that part of it was shut down earlier this summer.

Dennis wrote that the extent of government involvement is probably overblown, and that the talking heads will probably use the story to generate FUD about a coming cyber apocalypse. He’s right about that. We saw an example of that following the attacks against Estonia. He’s also right that virtually every major nation is conducting various scanning, reconnaissance and surveillance operations against the networks of its enemies–and perhaps some of its allies.

But this is an example of vulnerability in the U.S. IT infrastructure, and one hopes the cyber specialists in Washington are working to address it. And while there’s no justification for FUD, there is a lesson for IT professionals in the private sector. If the hacking community can punch holes in Pentagon systems, they can do it to any company, anywhere.

Making e-voting more secure

With the increased use of electronic voting machines, many in the security community have called for better ways to secure it all, including Ed Felten, professor of computer science and public affairs at Princeton University. Felten notes in his Freedom to Tinker blog that the U.S. House of Representatives is poised to vote on a bill that would push things in the right direction.

H.R. 811, Felten wrote, gets the big issues right, requiring a voter-verified paper ballot with post-election audits to verify that the electronic records are consistent with the paper ballots.

Felten continues: “The bill is cautious where caution is warranted. For example, it gives states and counties the flexibility to choose optical-scan or touch-screen systems (or others), as long as there is a suitable voter-verified paper record. Though some e-voting activists want to ban touch-screens altogether, I think that would be a mistake. Touch screens, if done correctly — which no vendor has managed yet, I’ll admit — do offer some advantages. Federalism makes sense here: let localities make their own choices, as long as basic standards, such as the paper-trail and audit requirements, are met. Down the road, we may be glad that we left room for better touch-screen systems to develop.”

However the House votes on this, I agree we need to move carefully on e-voting. It will ultimately be a major improvement over paper balloting, but there are still too many security holes to rely on the machines without a paper trail and some auditing.

The ballad of Zango

Erica George at StopBadware.org wrote a blog entry this week about Zango’s latest legal woes. She notes that Zango — a poster child for bad behavior in the eyes of many antispyware crusaders — recently struck out in its lawsuits against two anti-spyware software vendors. Zango, she notes, used the suits to challenge makers of security software that labeled its products as spyware. On one front, Zango dropped a suit against PC Tools after declaring that the company modified its software to warn against Zango software rather than automatically removing it. But, she wrote, PC Tools says it modified its software before Zango’s suit was ever filed and hails Zango’s decision to drop the suit as a vindication.

On another front, a federal judge ruled against Zango in a similar case against Kaspersky Lab. The ruling found that the federal Communications Decency Act, Section 230(c)(2), creates a “safe harbor” for producers of tools used to filter “objectionable content.” The judge noted that in the context of the safe harbor provision, objectionable content is not limited to content that is actually objectionable, but includes material that users and software providers consider to be objectionable. The court granted summary judgment for Kaspersky, effectively ending the case, George notes.

“In affirming the rights of security software vendors to classify applications based on the vendors’ own guidelines, the Kaspersky ruling sends a clear message that software producers cannot use lawsuits or the threat of lawsuits to challenge security vendors’ decisions,” George wrote.

Zango has been trying for years to shake off its reputation as a pusher of unwanted software, and the lawsuits against security companies are one way it chose to do that.

But the lawsuits backfired, and rightly so. When I talk to IT professionals about their spyware challenges, nobody jumps up to defend Zango. As far as they’re concerned, any unwanted program that bogs down their networks is evil and they want their security vendors to find and flag it.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.



Aug 3 2007   11:40AM GMT

Google’s presence at Black Hat



Posted by: Robert Westervelt
Information Security Careers

Among the vendor booths at Black Hat was Google, with several representatives pushing pastel-colored pens. Google has been bolstering its security of late. It acquired Postini for $635 million earlier in the month and, before that, GreenBorder Technologies. It even launched a security blog to add some transparency to its security-related strategies. At Black Hat, Google stuck out like a sore thumb with its booth among more than a dozen security vendors. The company wasn’t necessarily there to show off its recent moves, and probably it wasn’t even there to show that it is serious about security. Instead, the representatives were networking with the 3,000 or so security pros and touting two new security jobs it plans to fill in the near future. Still, the fact that it’s in hiring mode and making moves to lock down its Web-based applications, which security pros say are at increased risk of being an easy target for attackers, shows that someone at the search engine giant is making security a priority. Do you think it can apply the same priority and transparency to its data privacy practices?



Jul 26 2007   2:27PM GMT

Security certifications gaining value - good times are here



Posted by: Robert Westervelt
Information Security Careers

Companies are beginning to seek out more security talent in niche areas, according to the latest job skill and certification research from Foote Partners LLC. Security certification premiums increased 2.2% over the last six months, compared to other areas that are flat or losing ground, according to David Foote, president of the research firm. I interviewed Foote today to find out which niche areas may be highly coveted.

The premiums can be embedded in base pay or paid on top of it as a bonus or variable pay. Among the certifications paying a premium (there are no big surprises here): Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM). Some CISSP concentrations are also doing well: the management, architecture and engineering professional extensions. These are earning between 10% and 16% of base pay.

Foote said that on average, for one certification in information security, people are earning 9% of base pay. Out of the 151 certifications that Foote Partners surveys, the average individual certification is at 8% right now. Only 1% more than the average may not seem like much, but Foote said it is significant, because security certification premiums are surging while many of the other certifications have been declining over the last year.

Some security skills in high demand: autocorrelation, incident response, forensics, packet-level network skills, application network use and packet skills, identity management and LDAP, wireless security, VoIP security, and legal compliance, audit and remediation.

Foote also said that small specialty security consultancies are having trouble filling positions. Although Foote’s survey has had a pretty good finger on the pulse of the job market (he says he tracks over 67,000 IT worker salaries and IT skills pay), it’s still very hard to know exactly how the job market is doing, since there are so many factors involved. I’m curious as to what you’re seeing in the job market. Is it easy to get a security job today? How do you make yourself stand out to a prospective employer? Comment here or send me an email at rwestervelt [at] techtarget [dot] com.



May 29 2007   9:20AM GMT

Security researcher shocked at CIO, CISO grasp of security concepts



Posted by: Robert Westervelt
Security Management, Information Security Careers

How knowledgeable is your CIO or CISO about the latest security technologies or even the most basic security concepts?

Writing about her recent experiences speaking at several security conferences, security researcher Joanna Rutkowska said in her Invisible Things blog recently that she was shocked at the level of understanding many CIOs and CISOs had of basic security concepts.

Rutkowska keynoted at the InfoSecurity conference in Hong Kong. Her central message was that “technology is just as flawed as the so-called ‘human factor,’ understood here as a user’s unawareness and administrator’s incompetence.” Rutkowska said that although it was the least technical presentation she’s ever given in her life, it was still perceived as too technical by the audience.

“And I didn’t even mention any specific research I’ve done – just some standard stuff about exploits etc…,” Rutkowska wrote.

In a discussion panel after the keynote, Rutkowska observed that some CIOs and CISOs were naïve to many basic security concepts.

I’m sure some upper level IT pros go to security conferences to gain a higher level of understanding of security technologies. But if you’re going to be a presenter or taking part in a panel discussion, you should probably have a basic level of IT security knowledge. Do CIOs and CISOs have an agenda when they take part in a security conference or are they really there to give attendees insight on ongoing IT projects?



May 16 2007   7:45AM GMT

(ISC)2 adds new CISSP requirements



Posted by: Bill Brenner
Information Security Careers

The International Information Systems Security Certification Consortium (ISC)2, which administers the CISSP exam, said Tuesday it’s adding some new requirements to the certification.

In a press release, the organization said its board of directors approved new professional experience and endorsement requirements. Starting Oct. 1, the minimum requirement for certification will be five years of relevant work experience in two or more of the 10 domains of the CISSP CBK — a taxonomy of infosec topics recognized by professionals worldwide — or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. CISSP candidates currently must have four years of work experience or three years of experience with an applicable college degree or credential from that list, in one or more of the 10 CISSP CBK domains.

Also effective Oct. 1, CISSP candidates will be required to obtain an endorsement exclusively from an (ISC)2-certified professional in good standing. Currently, candidates can be endorsed by an officer from the candidate’s organization if no CISSP endorsement can be obtained.



May 9 2007   9:01AM GMT

Free online fraud toolkits proliferate across the Web



Posted by: Bill Brenner
Security Management, Information Security Careers

One of the reasons online fraud is escalating so dramatically is that the bad guys have easy access to malware kits available for free on the Internet.

Chris Young, VP of consumer solutions & the Access Solutions Group at RSA, outlined the scope of the problem Tuesday at the company’s eFraudNetwork Live event in New York City.

“Kits are being sold that allow the less tech savvy to set up phishing attacks,” he told a group of reporters and financial services practitioners during a luncheon round-table chat at the Roosevelt Hotel. “We’re also seeing more cross-channel fraud where attackers are going after things like phone services.”

Phishing seems to be the most popular kind of attack these days, and Young is not expecting that to change anytime soon.

Meanwhile, he said, most attacks are being traced back to U.S.-based PCs that have been hijacked into botnets under the command of a variety of digital miscreants — including drug addicts looking to make easy money to pay for their next fix.



Apr 27 2007   2:10PM GMT

WOOT, there it is



Posted by: Dennis Fisher
Information Security Careers

We all know the security conference schedule is already overcrowded, but there’s always room for another good one. The folks at USENIX this summer will be putting on a new workshop called WOOT–Workshop on Offensive Technologies–at their annual security conference here in Boston. According to the workshop’s site, it will be focused on understanding new attacks. It will be by invitation only, but if the makeup of the program committee is any indication of the level of content WOOT will have, I’d suggest calling in any favors you can to wangle an invitation to this one. Greg Hoglund, Nate Lawson, Halvar Flake, David Litchfield and Thomas Ptacek are all on the committee. Not too shabby.

The call for papers for the conference has just been posted, so if you want to guarantee yourself a spot, submit a cool paper. Maybe something on, oh, rootkits, or reverse engineering might grab the committee’s attention.
